posts?
Posted: Thu Nov 29, 2007 12:13 am
by FireElement
Is there a way to attach your server address to all posts?
For example so that when anything is posted from your server it puts a tag on the post and checks that the tag has your server address on it when it reaches the other page.
Kind of like a pointer.
So you have a typical form.
<form name="test" method="post" action="index.php">
<select name="test_select">
<option> so on ......
</select>
</form>
So basically test_select on post would get my server address tagged to it, and when it got back to the same page or to a new page it would check that the tag on it was from my server, and if not, obviously the post has not come from my page. Or a way to put a password on it in a tag that would be hidden in the PHP in the page, and then when the post got to the new page it would check that the post had this password tag attached...
Just for wondering?
Or some way to check that the post has come from your server?
Posted: Thu Nov 29, 2007 1:28 am
by jmut
You cannot rely on this... anyone can spoof your form and your server will be fooled.
I think you should look for CSRF
http://shiflett.org/articles/cross-site ... -forgeries
There was a very good topic in this forum about preventing it with a temp form token etc etc.
But in general this is not something you can 100% prevent. The best you should do is validate/escape all expected input accordingly and not care
what its source is.
Posted: Thu Nov 29, 2007 8:42 am
by FireElement
jmut wrote: You cannot rely on this... anyone can spoof your form and your server will be fooled.
I think you should look for CSRF
http://shiflett.org/articles/cross-site ... -forgeries
There was a very good topic in this forum about preventing it with a temp form token etc etc.
But in general this is not something you can 100% prevent. The best you should do is validate/escape all expected input accordingly and not care
what its source is.
Yeah, I already looked into that!
It does not work if you pass the data back to the same form... and if they send dodgy stuff to your select boxes, then you have to make sure all selections are correct. Which is not really a problem; I just wanted to find out if someone was trying to hack my site and ban their IP address. So if they tried to post something that did not have this invisible tag, then you're blocked, sucker! See you around, or not! haha
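The "temp form token" jmut mentions, and the same-page postback case FireElement raises, as an added PHP example that is not from this thread or either poster; it assumes PHP 7+, and the allowed option values and the error_log destination are assumptions:

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ and that the
// allowed select values below are the page's real options (constructed here).
session_start();

$allowed = ['red', 'green', 'blue']; // whitelist for test_select (assumed)

// One random token per session, stored server-side and re-used by every
// form this server renders; a page that is not ours cannot know it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak the token byte by byte.
function csrf_check($submitted): bool {
    return isset($_SESSION['csrf_token']) && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        // Missing or wrong token: not a form this server rendered for this
        // session. Log it for later review; do not process the data.
        error_log('form token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        $message = 'Invalid form submission.';
    } elseif (!in_array($_POST['test_select'] ?? '', $allowed, true)) {
        // Select value was tampered with: reject it instead of trusting it.
        $message = 'Unknown selection.';
    } else {
        $message = 'Received: ' . htmlspecialchars($_POST['test_select'], ENT_QUOTES, 'UTF-8');
    }
}
$token = csrf_token(); // same token is embedded again when the page re-renders itself
?>
<form name="test" method="post" action="index.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <select name="test_select">
<?php foreach ($allowed as $v): ?>
    <option value="<?= $v ?>"><?= $v ?></option>
<?php endforeach; ?>
  </select>
  <input type="submit" value="Send">
</form>
<p><?= $message ?></p>
```

Because the token lives in the session rather than in the page, posting back to index.php itself works: the check runs first, then the same token is rendered into the form again.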
Posted: Thu Nov 29, 2007 9:29 am
by jmut
FireElement wrote: jmut wrote: You cannot rely on this... anyone can spoof your form and your server will be fooled.
I think you should look for CSRF
http://shiflett.org/articles/cross-site ... -forgeries
There was a very good topic in this forum about preventing it with a temp form token etc etc.
But in general this is not something you can 100% prevent. The best you should do is validate/escape all expected input accordingly and not care
what its source is.
Yeah, I already looked into that!
It does not work if you pass the data back to the same form... and if they send dodgy stuff to your select boxes, then you have to make sure all selections are correct. Which is not really a problem; I just wanted to find out if someone was trying to hack my site and ban their IP address. So if they tried to post something that did not have this invisible tag, then you're blocked, sucker! See you around, or not! haha
And so will all the other users behind the same IP address... you should rethink your block-sucker technology

so be it!
Posted: Thu Nov 29, 2007 9:40 am
by FireElement
haha well that's just unlucky, I mean if someone is using a uni proxy and can't get on the site, so be it.... actually I think you're right!
But until the site gets a login area and we can block the user via username, that will have to do!
Also what would happen is the user's IP address would get noted! If there were not many posts from this IP address, or the ones that were posted were, well, spam, then the user would be blocked and justice served!
I mean if it's not productive towards the site, what is the point! The drawback of this is that if the user comes from a uni proxy where not many people know the site, then it would be blocked.
I was going to put in a link you just click to say "unban me", and then if enough users clicked this it would be unbanned, but by this point I think they would probably be put off. Although they could just use the site at home?
I think this is a good idea till we develop login area

Posted: Thu Nov 29, 2007 9:55 am
by jmut
I read your first post again... and I am getting confused as to what you're trying to achieve... is it that you have a sort of publicly available test environment... and until you're done you don't want potential problems from outside? If so, just Apache-password-protect your document root and you're all set for development / testing.... Other than that, in the long run you'll need a test environment separate from live... so maybe think about it up front.
If that is not your concern I really don't see what your point is
